
Threat Behaviors in the Attack Lifecycle

By: Chris Morales

June 20, 2019

There are multiple phases in an active cyberattack, and each is a perilous link in a complex kill chain that gives criminals the opportunity to spy, spread and steal critical information across native and hybrid cloud workloads, user devices and IoT devices.

By providing high-fidelity visibility into all workloads and network traffic, the AI-driven Cognito platform from Vectra detects threat behaviors in real time in every phase of the attack lifecycle.

It is critical to know when an attack progresses from one phase to the next. For example, an attack that advances from the internal reconnaissance phase to the lateral movement phase can be more significant than the sum of its parts.

Some events in the attack lifecycle are more indicative of targeted attacks than others. For example, opportunistic botnet monetization behaviors might indicate the presence of crimeware but do not by themselves constitute a targeted attack, whereas internal reconnaissance and lateral movement behaviors are strong indicators of a targeted attack.

Following is a breakdown and general description of each phase in the attack lifecycle.

Command and control

C&C behaviors occur when devices appear to be under the control of an external malicious entity. Most often, the control is automated because the device is part of a botnet or has adware or spyware installed. Rarely, but most importantly, a device can be manually controlled by a nefarious outsider. This is the most threatening case and it often means the attack is targeted at a specific organization.

Internal reconnaissance

Internal reconnaissance behaviors occur when a device is used to map out the enterprise infrastructure. This activity is often part of a targeted attack, although it might also indicate that a botnet is attempting to spread internally to other devices. Detection types cover fast and slow scans of systems, network ports and user accounts.

Lateral movement

Lateral movement covers scenarios of lateral action meant to further a targeted attack. This can involve attempts to steal account credentials or to steal data from another device. It can also involve compromising another device to make the attacker’s foothold more durable or to get closer to target data. This stage of the attack lifecycle is the precursor to moving into private data centers and public clouds.

Data exfiltration

Data exfiltration behaviors occur when data is sent to the outside in a way that is meant to hide the transfer. Normally, legitimate data transfers do not involve the use of techniques meant to hide the transfer. The device transmitting the data, where it is transmitting the data, the amount of data and the technique used to send it are indicators of exfiltration.

Botnet monetization

Botnet monetization behaviors are opportunistic: an infected device is used to make money for its bot herder. The ways in which an infected device can be used to produce value range from mining bitcoins to sending spam emails to producing fake ad clicks. To turn a profit, the bot herder utilizes devices, their network connections and, most of all, the unsullied reputation of their assigned IP addresses.
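The phase-progression point made earlier (a host that advances from internal reconnaissance to lateral movement matters more than the sum of its parts, while botnet monetization alone points to crimeware rather than a targeted attack) can be turned into simple per-host triage logic over the phases listed above. This Python is an added example written for this page, not code from Vectra or the Cognito platform; the phase names, scoring weights and sample detections are assumptions constructed for illustration.

```python
from collections import defaultdict

# Lifecycle phases that can indicate a targeted attack, in the order an
# attack typically progresses through them (phase names are assumed labels).
TARGETED_PHASES = ["command_and_control", "internal_recon",
                   "lateral_movement", "data_exfiltration"]
# Opportunistic behavior: indicates crimeware, not a targeted attack.
OPPORTUNISTIC_PHASES = {"botnet_monetization"}

# Constructed sample detections as (timestamp, host, phase); not real data.
SAMPLE_DETECTIONS = [
    (1, "host-a", "botnet_monetization"),
    (4, "host-a", "botnet_monetization"),
    (1, "host-b", "command_and_control"),
    (3, "host-b", "internal_recon"),
    (6, "host-b", "lateral_movement"),
    (2, "host-c", "internal_recon"),
]

def phases_by_host(detections):
    """Return {host: [phases in order of first observation]}."""
    seen = defaultdict(list)
    for _ts, host, phase in sorted(detections):
        if phase not in seen[host]:
            seen[host].append(phase)
    return dict(seen)

def assess_host(phases):
    """Score one host's observed phases and label it.

    Each targeted-lifecycle phase scores 1. Internal recon followed later by
    lateral movement adds a bonus of 2, so a host that advanced between those
    phases scores more than the sum of its individual detections.
    """
    score = sum(1 for p in phases if p in TARGETED_PHASES)
    progressed = ("internal_recon" in phases and "lateral_movement" in phases
                  and phases.index("internal_recon") < phases.index("lateral_movement"))
    if progressed:
        return "targeted: recon progressed to lateral movement", score + 2
    if score:
        return "suspicious: targeted-lifecycle behavior observed", score
    if any(p in OPPORTUNISTIC_PHASES for p in phases):
        return "opportunistic: crimeware, not a targeted attack", 0
    return "no threat behavior observed", 0

def triage(detections):
    """Assess every host and return (host, (label, score)) by descending score."""
    results = {h: assess_host(p) for h, p in phases_by_host(detections).items()}
    return sorted(results.items(), key=lambda kv: -kv[1][1])

if __name__ == "__main__":
    for host, (label, score) in triage(SAMPLE_DETECTIONS):
        print(f"{host}: score={score} {label}")
```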

About the author

Chris Morales

Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.